Not all that long ago, open source was viewed with skepticism and suspicion by IT professionals. While many saw the value that open source could deliver, others doubted its long-term viability or security. As we've seen over the past few years, though, these fears are largely falling by the wayside as organizations open up their code to the community.

Opening up code is one thing. However, for this trend to continue unabated without any negative impact, companies need to carefully consider how they pursue open source. Specifically, firms need to embrace open source security tools, such as our scanning and governance resources, so that IT leaders know exactly where and how open source is being deployed throughout the organization. Here’s why.

Open source for cybersecurity

First and foremost, it is important that we establish that open source is a lot like other IT services: It can absolutely be secure, as long as it is approached appropriately.

To highlight both the value and potential security of open source solutions, consider the recent announcement that the U.S. Army released a piece of open source code to help other government organizations combat cyberattackers. The Army has used this program, known as Dshell, for nearly five years as it investigated successful cyberattacks aimed at the Department of Defense. As William Glodek, Network Security branch chief for the U.S. Army Research Laboratory, explained, Dshell serves as a framework for developers to create their own customized analysis modules, based on cybersecurity compromises they've examined. This flexibility means that Dshell will likely prove useful to both federal agencies beyond the armed services and private sector firms, he stated.

"Outside of government there are a wide variety of cyberthreats that are similar to what we face here at ARL," said Glodek. "Dshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems."

Keeping open source safe

This release highlights many of the best, most powerful aspects of open source in general. Glodek emphasized the Army's desire to work collaboratively with other DOD agencies and partners outside the government to develop stronger, more resilient code. This demonstrates how open source communities are able to produce optimized software. Also, the simple fact that the U.S. Army feels comfortable releasing, utilizing and working collectively on a piece of open source software demonstrates its trustworthiness.

But it's also key to remember that open source can prove problematic when companies take a hands-off approach. Just look at Heartbleed, Shellshock and now GHOST – all of these are vulnerabilities in widely used software systems.

The biggest issue is not that open source solutions may be flawed, but rather that company leaders often do not know which open source tools they have deployed throughout their organizations. When this is the case, decision-makers are unable to respond quickly and effectively to any security issues that may arise.

That's why open source scanning and governance solutions are so imperative. These tools allow a company to quickly and easily identify where, when and how open source is being used. This type of insight vastly improves the quality of any given company's cybersecurity, allowing the business to take full advantage of open source tools with minimal risk.

Going forward with open source

To further illustrate why companies are increasingly turning to open source solutions, ReadWrite contributor Matt Asay recently highlighted several of the biggest advantages companies gain by open sourcing their own code. While the advantages of using already-available open source code are relatively straightforward, the benefits of firms opening up their own code for external use may seem less intuitive.

As Asay pointed out, though, open sourcing code can make it even stronger, as outsiders offer their own contributions. This effect, known as a force multiplier, will help make the organization more productive and efficient.

Furthermore, Asay emphasized that talented software developers will be impressed by your company's open source contributions, making them more inclined to seek out employment with your firm. In this sense, embracing open source fully can be a powerful recruitment tool.

Last week, the GHOST flaw was revealed to have a potentially serious effect on many Linux systems around the world – and Rogue Wave Software was right on top of it. This buffer overflow problem affects the gethostbyname() and gethostbyname2() function calls in the glibc library common to many Linux systems and can allow remote attackers to execute arbitrary code with the permissions of the user running the application.

Use of open source software such as this is monitored by the OpenLogic OpenUpdate program. Users of OpenLogic are immediately notified of security vulnerabilities, as reported by the National Vulnerability Database, and informed of remedies and workarounds, if available. Here’s a portion of the OpenUpdate notification for the GHOST flaw as it went out to users last week:

Updates are available for CentOS 5, 6 and 7 (all architectures). Debian/Ubuntu systems have already updated the packages so you can simply upgrade them. It is also recommended that you run updates on the OS afterwards.

With OpenUpdate, you don’t have to worry about keeping tabs on security issues like GHOST or Heartbleed, OpenLogic does it for you. Proactive, specific, and actionable information is what OpenUpdate is all about.
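The governance step described above, knowing which open source components are deployed and matching them against published advisories the way an OpenUpdate notice does, can be demonstrated in a few dozen lines. The following is an added example, not OpenLogic or OpenUpdate code: it holds a constructed inventory of installed packages and a constructed advisory list, compares RPM-style version strings correctly (a plain string comparison would sort `4.1.2-9` after `4.1.2-15`), and emits one actionable line per affected host. The Shellshock CVE ids are the ones named on this page; the glibc advisory id and every "fixed" version are placeholders, not real errata versions.

```python
"""Added example (not OpenLogic or OpenUpdate code): match an inventory of
installed open source packages against security advisories and list which
hosts need an update. All records below are constructed sample data; the
'fixed' versions and the CVE-PLACEHOLDER id are made up for illustration.
"""
import re
from dataclasses import dataclass

# Constructed inventory: (host, package, installed version-release).
INVENTORY = [
    ("web-01", "bash", "4.1.2-15.el6"),
    ("web-01", "glibc", "2.12-1.149.el6"),
    ("db-01", "bash", "4.1.2-16.el6"),
    ("db-01", "openssl", "1.0.1e-30.el6"),
    ("build-01", "glibc", "2.17-55.el7"),
]

# Constructed advisories: first fixed version-release per package. The CVE ids
# for Shellshock are the ones named on this page; the glibc id is a placeholder.
ADVISORIES = [
    {"package": "bash", "fixed": "4.1.2-16.el6",
     "ids": ["CVE-2014-6271", "CVE-2014-7169"], "name": "Shellshock"},
    {"package": "glibc", "fixed": "2.12-1.150.el6",
     "ids": ["CVE-PLACEHOLDER-0001"], "name": "GHOST"},
]


def _split_epoch(version):
    """'1:2.3-4' -> (1, '2.3-4'); no epoch means epoch 0."""
    if ":" in version:
        epoch, rest = version.split(":", 1)
        return int(epoch), rest
    return 0, version


def _segments(version):
    # Alternating numeric and alphabetic runs; separators ('.', '-', '_') are dropped.
    return re.findall(r"\d+|[A-Za-z]+", version)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b using RPM-style ordering:
    epoch first, then segment by segment, numbers as integers, letters
    lexically, a numeric segment newer than an alphabetic one, and the
    string with more segments newer when all shared segments are equal."""
    ea, va = _split_epoch(a)
    eb, vb = _split_epoch(b)
    if ea != eb:
        return -1 if ea < eb else 1
    sa, sb = _segments(va), _segments(vb)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


@dataclass
class Finding:
    host: str
    package: str
    installed: str
    fixed: str
    ids: list


def find_vulnerable(inventory, advisories):
    """Flag every installed package older than the first fixed version.
    Packages with no advisory are ignored; the comparison assumes inventory
    and advisory use the same distribution's version scheme."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for host, package, installed in inventory:
        for adv in by_package.get(package, []):
            if compare_versions(installed, adv["fixed"]) < 0:
                findings.append(Finding(host, package, installed, adv["fixed"], adv["ids"]))
    return findings


def notification_lines(findings):
    """One actionable line per affected host, in the spirit of an update notice."""
    return [f"{f.host}: {f.package}-{f.installed} is affected by {', '.join(f.ids)}; "
            f"update to {f.package}-{f.fixed} or later" for f in findings]


if __name__ == "__main__":
    for line in notification_lines(find_vulnerable(INVENTORY, ADVISORIES)):
        print(line)
```

The comparison deliberately mirrors package-manager ordering rather than string ordering, because the difference between "patched" and "vulnerable" is often a single release digit. Note the caveat in `find_vulnerable`: fixed versions are distribution-specific, so an inventory mixing releases (the `el7` host here) should be matched against that release's own advisory.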

For more information about OpenLogic and to schedule a free demonstration, visit www.openlogic.com.

Everyone understands the need to protect themselves and their organizations from the threats posed by cyberattackers, malware, viruses and other digital dangers. It’s one of the leading reasons why business and IT leaders are so often afraid of embracing new, unproven solutions. Many of these decision-makers have the mindset that it’s safer to stick with popular systems that have been proven resilient over time.

There's a problem with this line of thinking, though: popular systems are also vulnerable to all of these cyberthreats, and more. Just because a solution is widely used, does not mean that it is totally safe. Not at all.

The recent emergence of GHOST is a case in point. GHOST is a Linux-specific vulnerability that can potentially compromise users’ control of their systems. Naturally, this could cause tremendous damage to a huge number of individuals and organizations around the world. It should serve as a reminder of the need for open source software security solutions, even when companies are relying solely upon seemingly dependable systems.

“The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that’s invoked by the gethostbyname() and gethostbyname2() function calls,” Ars Technica explained. “A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application.”

The source noted that this vulnerability affects almost every piece of Linux-based software that performs domain name resolution. This means that the flaw could spread quickly.

“There could be a lot of collateral damage on the Internet if this exploit gets published publicly, which it looks like they plan to do, and if other people start to write exploits for other targets,” Jon Oberheide, a Linux security expert, told Ars Technica.

Amol Sarwate, director of engineering with Qualys, noted that there have not been any known cases of hackers exploiting the GHOST vulnerability as of yet. However, as Reuters reported, Sarwate emphasized that this does not mean companies using Linux are safe.

“We were able to do it. We think somebody with good security knowledge would also be able to do it,” he said, the source reported.

Preventative measures

Clearly, all of this highlights the need for organizations to take preventative measures to protect themselves. But that’s not the only takeaway. Just as importantly, this incident goes to show that many companies could easily be much better protected if they only embraced the right tools and paid closer attention to the cybersecurity threat landscape.

Why? Because, as Ars Technica noted, a patch to fix this Linux vulnerability was released two whole years ago. Yet most versions of Linux currently in use lack this correction.

The open source community is a valuable asset to software development. It is a place where people can share, learn, explore and grow – an environment that thrives on working together. In support of this community, Rogue Wave Software has released our ThreadSpotter product as an open source product with help from our partner, ParaTools.

The release of ThreadSpotter extends our participation in the open source community, adding to our commitment to build confidence in open source with products such as the OpenLogic scanning and governance platform. We appreciate that open source is vital to the success of application development and we want to continue our involvement in such a strong community.

The ThreadSpotter source code has been released under an LGPL license. You can get a pre-built binary in a LiveDVD (ISO) and a Virtual Machine (OVA) image at http://www.hpclinux.com. Or, if you're attending this year's Supercomputing 2014 conference, you can stop by the ParaTools booth to pick up a DVD. If you like what you see, you can get fee-based support with a subscription.

ThreadSpotter will help you understand and improve the runtime performance of your applications by identifying areas where the program makes poor use of processor cache memory and, in some cases, suggesting ways to restructure the code to make more effective use of the cache.

You may not think about cache behavior when you write algorithms, and several popular programming paradigms encourage programming styles that can lead to very inefficient use of cache memory. Good use of cache memory can easily make an order of magnitude (a factor of 10) difference in program performance. Poor use can also act as a limiting factor on scalability and on the ability of the program to run well on multicore processors.

ThreadSpotter excels where other tools and techniques for cache performance analysis fail. Those tools tend to give very low-level information that comes directly from hardware counters, such as the raw number of cache misses, and interpreting low-level hardware counter data takes significant expertise. ThreadSpotter points you towards the lines of code that are problematic and provides a plain explanation of what about that section of code causes it to make poor use of the cache.

Get to know ThreadSpotter, code with ThreadSpotter, and enjoy the gift of open source.

Open source software has never been more popular. Companies now regularly turn to these solutions for a huge range of purposes, and see major benefits as a result. Open source has the potential to be more cost-effective, flexible and reliable than licensed software.

But if there's one issue holding back greater open source adoption, it's security. Many business leaders harbor fears regarding the integrity of open source solutions – concerns that were greatly exacerbated by the discovery of the Heartbleed vulnerability in the OpenSSL encryption library. While this was undoubtedly a major eye-opener in the realm of open source security, the fact of the matter is that open source solutions can be just as secure, or even more secure, than licensed software. This security can only be achieved when pursued with the proper tools and strategies.

Verification needed
One of the reasons why open source software can deliver superior security relative to traditional solutions is its verification capabilities. As Network World contributor Rob Howard recently asserted, software security in the enterprise used to rely heavily on brand trust. Now, though, such an arrangement is no longer so practical. The rise of cloud computing means that large amounts of corporate data are stored off-site by a range of third-party service providers. With such high stakes, relying solely on trust is not acceptable.

Open source avoids this issue by offering far greater transparency, Howard explained. End-users are able to actually verify the security of the services they utilize by examining the code being used. With proprietary software, this isn't possible.

Of course, this is only a benefit when businesses take advantage of the opportunity. To ensure that a given piece of open source code is truly secure, firms need to apply high-quality security tools to these offerings. Specifically, businesses should utilize governance solutions that can identify potential problems and ensure dependability.

Quality control
Open source software can also deliver superior security, along with better performance, thanks to the code selection process. As The Huffington Post contributor Vala Afshar highlighted, a recent Future of Open Source survey from North Bridge Venture Partners found that 80 percent of open source software users have gone this route thanks to the better quality of available code. He pointed out that open source, by its nature, removes boundaries, allowing developers from beyond any single company to "participate, debate, compromise and inspire each other" as they create open source code.

The result of these collaborative efforts is a product superior to what any one organization could usually develop on its own. The code produced can not only deliver better performance, but it can also be more reliable and secure. The popular expression that "with enough eyes, all bugs are shallow" is proven true by these projects.

Managing vulnerabilities
All that being said, there's no doubt that software developers leveraging open source solutions need to be vigilant to ensure the security of their code.

Writing for Sys-Con, Lacy Thoms recently emphasized the importance of exercising caution when adopting open source solutions. In particular, she offered three best practices for minimizing the risk of vulnerabilities causing problems in an open source environment.

First, Thoms asserted that developers should always research a given open source project prior to deployment. Any reports of previously discovered vulnerabilities need to be taken into account.

Next, developers should always strive to use the most recent and actively maintained open source projects available.

Recently, one of my account executives asked: “Why does IMSL go to such lengths to add error handling?”

Well, because our customers can’t afford even just one wrong answer.

I also get asked: “Why can’t I just use open source algorithms? Don’t they produce the same results?”

Simply put, open source algorithms are not always the best answer. IMSL Numerical Libraries offer more error handling than open source libraries (and sometimes, they offer none!). I hear stories of using open source libraries where research or business decisions are based on results from algorithms that are later found to be incorrect. Or the problems were ill-conditioned for the algorithm selected, yet the algorithm provided an answer.

IMSL has been around for over 40 years, so our customers trust the results. We first verify proper input to set up the problem and, if something looks wrong, tell them why the input is incorrect. Second, we inform them during execution whether the algorithm is making good progress or not, we check for any ill-conditioning that cannot be determined strictly from input parameters, and we check for numerical instability that might cause the execution of the algorithm to crash unexpectedly. The resulting error message provides a nice exit from the algorithm and provides suggestions of what to do next. IMSL error messages can be caught, allowing the calling program to determine next steps based on the error caught from IMSL. Open source algorithms don’t offer this level of security.

Without proper error checking, the algorithms might provide incorrect results, or solve ill-conditioned problems and provide results that are incorrect. Worst case, without proper error checking, an algorithm could cause the application to crash unexpectedly.

Another critical feature about the IMSL algorithms is their optional arguments, which allow a great deal of flexibility, allowing the user to have control over how the algorithm behaves.

In IMSL, computations are not affected by underflow if the system replaces an underflow with the value zero. Therefore, normally system error messages indicating underflow can be ignored. IMSL also avoids overflow. A program that produces system error messages indicating overflow should be examined for programming errors such as incorrect input data, mismatch of argument types, or improper dimensions. In many cases, to help the developer out, the documentation for a function points out common pitfalls that can lead to failure of the algorithm.
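The error-handling pattern described in this section (validate the input, refuse to continue when the problem is singular, detect ill-conditioning that cannot be seen from the arguments alone, and report through an error the caller can catch) can be shown on a small dense linear solver. The code below is an added example and is not IMSL code; the class names, the `cond_limit` and `tol` defaults and the 1-norm condition estimate are choices made here for illustration.

```python
"""Added example (not IMSL code): a small dense linear solver written with the
kind of checked error handling the passage above describes. It validates its
input, refuses singular systems, estimates conditioning, and reports problems
through exceptions a calling program can catch and branch on, rather than
returning a plausible-looking but untrustworthy answer.
"""
import math


class NumericalError(Exception):
    """Base class so a caller can catch every solver error in one place."""


class InputError(NumericalError):
    """Wrong shape, or a non-numeric / non-finite entry (often a sign of an upstream overflow)."""


class SingularError(NumericalError):
    """A pivot fell below tolerance: the system has no unique solution."""


class IllConditionedError(NumericalError):
    """Solvable, but tiny perturbations of the input would change the answer wildly."""


def _check_input(a, b):
    n = len(a)
    if n == 0 or any(len(row) != n for row in a):
        raise InputError("matrix must be square and non-empty")
    if len(b) != n:
        raise InputError(f"right-hand side has {len(b)} entries, expected {n}")
    for row in list(a) + [b]:
        for x in row:
            if isinstance(x, bool) or not isinstance(x, (int, float)) or not math.isfinite(x):
                raise InputError(f"non-numeric or non-finite entry {x!r}")


def _gauss_jordan(a, rhs_columns, tol):
    """Reduce [a | rhs_columns] to diagonal form with partial pivoting and
    return one solution vector per right-hand-side column."""
    n = len(a)
    m = [[float(v) for v in row] + [float(col[i]) for col in rhs_columns]
         for i, row in enumerate(a)]
    for k in range(n):
        p = max(range(k, n), key=lambda i: abs(m[i][k]))   # partial pivoting
        if abs(m[p][k]) <= tol:
            raise SingularError(f"pivot {m[p][k]:.3g} in column {k} is below tolerance {tol:.3g}")
        m[k], m[p] = m[p], m[k]
        for i in range(n):
            if i != k:
                f = m[i][k] / m[k][k]
                m[i] = [x - f * y for x, y in zip(m[i], m[k])]
    return [[m[i][n + j] / m[i][i] for i in range(n)] for j in range(len(rhs_columns))]


def _norm1(mat):
    """Matrix 1-norm: largest absolute column sum."""
    return max(sum(abs(row[j]) for row in mat) for j in range(len(mat[0])))


def solve(a, b, cond_limit=1e12, tol=1e-14):
    """Solve a x = b. Returns (x, cond) where cond is the 1-norm condition
    number ||a|| * ||a^-1||, computed here from an explicit inverse, which is
    fine for the small systems in this demo (production libraries use cheaper
    estimators). Raises a NumericalError subclass instead of guessing."""
    _check_input(a, b)
    n = len(a)
    unit_columns = [[1.0 if i == j else 0.0 for i in range(n)] for j in range(n)]
    columns = _gauss_jordan(a, [b] + unit_columns, tol)
    x = columns[0]
    inverse = [[columns[1 + j][i] for j in range(n)] for i in range(n)]
    cond = _norm1(a) * _norm1(inverse)
    if cond > cond_limit:
        raise IllConditionedError(
            f"condition number {cond:.3g} exceeds {cond_limit:.3g}; results would not be reliable")
    return x, cond


def try_solve(a, b):
    """What a calling program does: catch the error and decide the next step.
    Returns ('ok', x) or (error class name, message)."""
    try:
        x, _ = solve(a, b)
        return "ok", x
    except NumericalError as err:
        return type(err).__name__, str(err)


if __name__ == "__main__":
    print(try_solve([[4, 1], [2, 3]], [1, 2]))             # well-conditioned
    print(try_solve([[1, 2], [2, 4]], [1, 1]))             # singular
    print(try_solve([[1, 1], [1, 1 + 1e-13]], [2, 2]))     # ill-conditioned
    print(try_solve([[1, 2], [3, 4]], [1]))                # bad input
```

The ill-conditioned case is the one the passage warns about: elimination runs to completion and would happily return numbers, so only the explicit conditioning check separates a trustworthy answer from an untrustworthy one. Because every failure is a subclass of `NumericalError`, the caller can handle all of them together or branch on the specific class.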

When you want to know exactly what’s going on – and need to know whether the algorithm is working correctly – ditch the open source algorithms and use IMSL Numerical Libraries.

Without question, open source software continues to grow more popular around the world. Individuals and organizations from every region and sector now leverage these tools for a wide range of purposes and experience significant benefits as a result.

Yet despite this progress, the future of open source software remains unclear in a number of different areas. Notably, it is difficult to predict whether commercial open source products will eventually prove viable, as Forbes contributor Adrian Bridgwater recently discussed.

Commercial open source issues

Bridgwater noted that open source solutions are now widely used in various capacities, and in some fields have become dominant. For example, he pointed out that Hadoop is the biggest name when it comes to big data analytics applications.

But the popularity of this and other open source software offerings does not reveal much about the viability of commercial open source solutions, the writer asserted. There have been some efforts in the direction in the past – most notably, Sun Microsystems and its "free until you need maintenance and support" model – but thus far commercial open source remains more of a concept than an actual, viable business strategy.

For commercial open source to work, Bridgwater suggested that the mechanics would have to involve making application code libraries static, rather than dynamic. This would make the libraries certifiable. In this arrangement, the Free and Open Source Software community would have the ability to propose alterations and improvements to public code repositories while the static libraries could be removed, optimized or certified as needed.

This would protect critical, sensitive systems, such as aircraft cockpit control units, from being modified by open source enthusiasts or students who lack the expertise or responsibility to confidently update this code. However, Bridgwater acknowledged that such a deployment would potentially undercut new innovation, which relies largely on input from a wide range of volunteers.

Viability questions

The above scenario could serve as a model for commercial open source efforts, but this does not mean that such a model would prove viable for any organization. According to Bridgwater, though, there is good reason to suspect that these offerings will arise in the near future.

The writer pointed out that customer support has never been more important. Boriana Ditcheva, Web development director at the North Carolina Biotechnology Center, recently contributed to opensource.com, arguing that open source communities offer superior assistance compared to traditional technical support. This suggests that there is a market for commercial products that deliver user assistance in an open source fashion.

Proprietary and open source software together

Regardless of whether commercial open source software becomes a field in its own right, companies are already leveraging open source as a means of adding value to their proprietary offerings, as The Server Side recently highlighted.

The source explained that when a start-up or other software provider goes out of business or is bought out by a competitor, its software offerings no longer receive support. Any organizations that have invested in these software solutions will suddenly find themselves out of luck. This state of affairs hurts not just the directly affected companies, but also software developers, as they now face an additional hurdle when trying to convince potential customers to embrace their solutions.

According to The Server Side, many firms now combat this state of affairs by leveraging open source strategies. By merging their proprietary software with open source, organizations can ensure that their software remains supportable even if the company can no longer offer support itself. This increases consumer confidence and further establishes the importance of open source software as a business model.

The U.S. government has long had a reputation for slowness to adapt to new technologies. The massive size and scope of federal bureaucracy slows the government's reaction time. Yet despite this reputation, there are plenty of examples of government departments taking proactive steps to embrace new IT initiatives in order to improve their performance and capabilities.

Open source software is a case in point. As InfoWorld contributor Matt Asay recently highlighted, the government now recognizes the potential value inherent to open source solutions and is increasingly turning to these offerings rather than proprietary tools.

Open source initiatives

To emphasize the government's newfound appreciation for open source software, Asay pointed to GitHub's government evangelist, Ben Balter. Balter revealed that GitHub now has more than 10,000 active government users on its network. This represents a tremendous amount of growth, as GitHub had fewer than half that number of government users last year.

Furthermore, Asay noted that these users have created nearly 8,000 GitHub repositories for government services.

"While many of these repositories likely house somewhat useless code, similar to nongovernment open source repositories, it's a clear signal of intent," Asay explained.

The writer also pointed out that the federal government recently initiated a new IT guiding principle which instructs agency leaders to always default to open source when looking at new technology. He quoted the U.S. Digital Services Playbook, which states that "[b]y building services more openly and publishing open data, we simplify the public's access to government services and information, allow the public to easily provide fixes and contributions, and enable reuse by entrepreneurs, nonprofits, other agencies and the public."

Clearly, the establishment of such a policy, along with the growing prevalence of government users' GitHub repositories, points to a significant shift across the government as a whole. Open source solutions are quickly becoming standard.

Obstacles remain

However, Asay cautioned that open source in the government still has a long way to go. Notably, there is still the issue of a lack of open source experience among government personnel. Lorelei Kelly, a research fellow at the Open Technology Institute, told the writer that many IT professionals simply assume everyone who works for the government must know what open source is, but this is not the case. Instead, it is predominantly the younger personnel who have an understanding of open source technology.

While this bodes well for the distant future, it presents a major challenge in the short-term. If older government employees don't even really know what open source is, they can't be expected to embrace and effectively leverage these resources.

Accepting open source

However, this does not mean that government agency leaders cannot hope to fully embrace open source software in their departments. Rather, decision-makers must take steps to make the use of open source as simple and effective as possible.

Education must play a major role here. Government employees should have the opportunity to attend classes and receive training to help them understand and take advantage of open source. There are inevitably many workers who are intimidated by these tools but, with a little exposure, would realize how simple and beneficial open source software can be.

Additionally, government agencies need to invest in the right supplemental tools to guarantee open source software's effectiveness. A key resource in this capacity is scanning technology. With high-quality scanning, departments can quickly and effectively discover any potential vulnerabilities before they cause problems, thereby ensuring that no government workers run into serious complications when leveraging open source tools. Such reliability is a key advantage of open source, but only possible with the right resources in place.

As the advantages offered by open source software strategies become increasingly clear, many organizations in the public sector are turning to this approach. In terms of both performance and cost-effectiveness, open source is often the ideal choice for government agencies.

The latest department to follow this line of thought is the General Services Administration. As FedScoop reported, the GSA recently announced a new policy which will require the priority consideration of open source options whenever the agency begins to develop a new IT project.

Open source for IT

The news source noted that this is a somewhat controversial decision. Some observers question whether open source software solutions will be able to meet the GSA’s IT needs to the same degree as proprietary software. However, Sonny Hashmi, chief information officer for the GSA, is confident that looking to open source first is the best option for the agency.

“During the process of vetting new software, GSA plans to implement a process where open source software is considered within the ranks of conventional software,” Hashmi told the news source. “We are confident that our vetting process will identify the best software for each IT solution based on the merits of the software, while also factoring in cost, support, security and a myriad of other factors.”

Looking for government solutions

FedScoop reported that the GSA will specifically look at other federal agencies for inspiration as to how to best implement open source solutions. Hashmi pointed to the Food and Drug Administration’s openFDA as a key example of a successful open source implementation that yielded positive results.

“When the Food and Drug Administration built out openFDA, an API that lets you query adverse drug events, they did so in the open,” Hashmi said, according to the news source. “Because the source code was being published online to the public, a volunteer was able to review the code and find an issue. The volunteer not only identified the issue, but provided a solution to the team that was accepted as a part of the final product.”

Hashmi went on to argue that all solutions created using taxpayer dollars should be open source, so the general public can benefit from these developments.

Open source benefits

Gunnar Hellekson, chief technology strategist for the U.S. public sector for Red Hat, argued that the GSA’s adoption of an open source-first policy will yield tremendous benefits for the agency.

“You use open source because it can be cheaper, easier to procure, more flexible, and gives you access to a community of developers and users that’s rare with proprietary software,” said Hellekson, the news source reported. “This kind of policy is already the de facto standard in the commercial world, and for good reason: Open source often provides more options, more innovation and better software for less money.”

Flexibility advantages

Additionally, it is important to note that other government organizations have turned to open source solutions not just for efficiency and cost-savings, but also to achieve superior control over their software implementations. After all, proprietary solutions are by nature far less flexible than open source code. Many proprietary software developers demand that clients, including public sector organizations, agree to rigid contracts, which can further limit expansion and evolution over time. With open source, agencies can enjoy a much greater degree of freedom, which is critical for fast-changing IT environments.

By embracing open source software at an accelerating pace, many government agencies are positioning themselves to respond more quickly and effectively to the country’s needs in the coming years.

OpenLogic has taken all necessary measures to ensure our customers are protected from the critical vulnerabilities represented by CVE-2014-6271 and CVE-2014-7169, also known as Shellshock. All OpenLogic infrastructures have been updated and patched to protect from exploitation by Shellshock:

OpenLogic Governance, Support, and Audit services

OpenLogic Governance, Support, and Audit systems are secure and have been patched for the Shellshock flaw.

Microsoft Azure Platform

OpenLogic Microsoft Azure CentOS images are currently being updated, and new images will be published shortly. We highly recommend that users update to prevent the security risks involved with this bug. To do this, update the installed version of the Bash package to the latest version by running the following command in a default environment:

$ sudo yum update bash

OpenLogic Amazon AWS Marketplace Images

OpenLogic Amazon AWS Marketplace offerings are currently being updated to include patched versions of Bash and new images will be published shortly. We highly recommend that users with currently running systems continue to pull community updates to prevent the security risks involved with this bug. To do this, update the installed version of the Bash package to the latest version by running the following command:

As the situation continues to develop, we will endeavor to keep our customers apprised of actions they must take to remain protected from exploitation through these vulnerabilities. As always, you can receive notifications about our latest updates through OpenUpdate Notifications.